When China's current legal structure is examined, it is seen that legal and technical measures regarding the protection of personal data and data security are implemented through various laws, secondary regulations, and guides containing compliance standards. At this point, the Personal Information Protection Law (PIPL) is the first comprehensive and nationally valid regulation regarding personal data. It is essential because it has various compliance standards that are legally binding for companies instead of guides and secondary regulations. T
What is Personal Data?
Personal data is information that relates to an identified individual. The concept of personal data is defined in the PIPL as "any information relating to an identified or identifiable natural person".
What Personal Data Covers
Personal data is not only the information that provides the definitive identification of the individual, such as the name, surname, date of birth, and place of birth, but also information about the physical, familial, economic, social, and other characteristics of the person.
Data such as name, phone number, motor vehicle license plate, social security number, passport number, CV, picture, image and sound recordings, fingerprints, and genetic information are personal data due to their ability to make the person identifiable, albeit indirectly.
What Is the Purpose of the Personal Information Protection Law?
According to the law, the purpose is to protect the fundamental rights and freedoms of individuals, particularly the privacy of private life, in the processing of personal data, and to regulate the obligations of natural and legal persons who process personal data and the procedures and principles to be followed.
Why was the PIPL enacted?
The PIPL aims to prevent the unlimited and arbitrary collection of personal data, its being made accessible to unauthorized persons, and the violation of individual rights as a result of abuse.
Personal data should be created and stored by the data owner and the businesses that process and store the data in accordance with certain basic principles:
a) Compliance with the law.
b) To be accurate and up to date.
c) To be processed for specific, explicit, and legitimate purposes.
d) To be limited and restrained in connection with the purpose for which they are collected and processed.
e) To be stored for as long as necessary for the purpose for which they are processed.
The main scope of the PIPL is the control of personal data processing activities carried out by natural and legal persons within the borders of China, but sometimes personal data processing activities carried on outside the borders of China are also covered by the PIPL. This happens under several conditions.
Take a foreign company, for example, a US-based e-commerce site that sells across borders. If this company collects data from customers or potential customers in China, it must be concerned with PIPL.
Also, if a domestic or foreign company meets one or more of the following conditions, it must comply with the PIPL:
a) Providing products or services to natural persons in China.
b) Analyzing or evaluating the behavior of natural persons in China.
c) Other purposes stipulated in laws and administrative regulations.
Conducting a personal data protection impact assessment is complementary to the obligation to appoint a data protection officer and local representative and the local data protection regime established by national regulations.
Similarities to GDPR
Similar to the GDPR applicable in the European Union, the personal data protection law in China protects data subjects, lays down the applicable rules for data processing, and frames the use of personal data with certain limits. PIPL is valid in China; GDPR is valid in the European Union.
It is prepared under similar headings as GDPR and, in many ways, uses GDPR as the model regulation. On the other hand, it is not as detailed as GDPR. The impetus for the law is also different. The cross-border effect of PIPL, strict regulations in terms of data localization, and restrictions on data transfer abroad are caused by security concerns more than solely privacy concerns.
Cross-Border Use of Personal Data
A company that processes any personal data originating from China is considered to be subject to Chinese personal data security laws, regardless of its geographical location. The transfer of a Chinese citizen's data abroad from a business operating in China is prohibited, with few exceptions. For example, a Chinese citizen who has a CV and personal data in an HR firm can transmit this data to an HR firm abroad.
Data Subjects' Rights in China According to PIPL
· The data subject may request information about the collection and recording of his personal information and has the right to decide on the collection and storage of this information.
· The data subject has the right not to allow the processing of his personal information and to object to the permissions he has given in the past.
· Data owners have the right to copy their personal information from the business that records this data.
· The right to portability of personal information (allows individuals to obtain and reuse their personal data)
· The data owner may request that the information in his data be revised with updated information by applying to the data processing companies.
· The data owner has the right to request the deletion of their personal information from the companies that have recorded this data under certain conditions.
Obligations of Data Hosting Businesses According to PIPL
· These companies are obliged to protect personal data with encryption and other measures to ensure server security.
· Recording personal information according to the field of activity of the company, the software it uses, and the registration of the personal information. The company should be able to easily present these data to the authorities when a legal control is required.
· To determine active authorizations for personal information, to authorize limited personnel to access this data.
· To follow up-to-date developments in security procedures regarding personal information.
· To take other security measures stipulated by laws and regulations.
· To take corrective actions "immediately" in the event of a data incident and notify the Personal Information Protection Authorities and all affected individuals.